array_rand is not cryptographically safe

[spfmoby]

Your getRandomWord() function picks a word in the file using the php array_rand() function.

https://www.php.net/manual/en/function.array-rand.php explicitly says that this function should not be used for cryptographic purposes.

[gregor-j]

The array_rand() function is used in three places:

1. Dictionaries\DictionaryFile::getRandomWord()
2. Generators\ManageRandomItemsTrait::remove()
3. Generators\RandomCharacter::add()

ad 1.
The DictionaryFile class is in this repository for demonstration. I strongly sugguest to use a database full of words instead of files, and a model class implementing DictionaryInterface which chooses a rand() random_int() line from that database.
However, you are right: Even for demonstrational purposes, array_rand() is at a critical position. This has to be replaced.

ad 2.
This only affects the removal of a random word. I don't think that the use of array_rand() at this position has any real-world effects. However I can replace it with rand() random_int() while I'm at it.

ad 3.
This might become a problem, if someone uses this class as a classic password generator and not for generating a separator character. This has to be replaced too.

Thanks for pointing out that problem.

[spfmoby]

rand() is not better, you should use random_int() instead (for php >= 7)
For the array (DictionaryFile) you can count the number of lines then generate a random int between 0 and this number (using random_int() )

[gregor-j]

Replaced all functions in question.